Transcription

Slide 2: Goals and Benefits
Goal:
- Understand the common missteps that occur for companies when addressing PCI compliance
- Establish an understanding of the collaborative effort required for compliance
Benefits:
- Minimize risk of a breach
- Reduce the complexity of achieving compliance
- Increase speed in identifying and responding to threats
- Reduce resource costs of maintaining compliance

Slide 5: Market Trends: The Facts
- 761 security breaches in 2010 (141 in 2009)
- 89% of victims subject to PCI DSS had not achieved compliance
- 86% of the breaches were discovered by a third party
- 86% of the victims had evidence of the breach in their log files
- 96% of breaches were avoidable through simple or intermediate controls
* Source: All data is from the 2011 Verizon Business Data Breach Investigations Report

Slide 6: 2010 Payment Card Industry Compliance Report
- Organizations struggled with requirements 1, 10, and 11
- Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council
- 22% of organizations were validated compliant at the time of their Report on Compliance (ROC); these tended to be year-after-year repeat clients
- All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS
Source: Verizon Business 2010 Payment Card Industry Compliance Report

Slide 12: Analysis of the Statistics
- Achieving PCI compliance is necessary but not a priority
- Organizations continue to check the compliance box but then struggle to maintain compliance
- Requirements 1, 10 and 11, which are the most expensive and resource intensive, are the most difficult for organizations to implement and maintain
- Attacks are not being detected in an acceptable timeframe
- Organizations that achieve compliance are able to protect their cardholder data
- Companies will continue to fail to achieve compliance due to lack of time, budget, and technical resources

Slide 13: PCI is Overwhelming Because
- Large volumes of data to review: log data, intrusion data, vulnerability data
- Integration of all the alert data is technically complex
- Companies may not have security/compliance experts in house
- Organizations are not in the compliance business

Slide 17: Challenge 2: Intrusion Detection & Vulnerability Assessment
Vulnerability Assessment
- Quarterly vulnerability scans should be the minimum
- Running scans is easy; tracking down vulnerabilities is hard
- Some companies look for the easiest way to get a clean scan: tweaking network configurations, removing IP addresses from scope
- IT security teams find it difficult to explain or justify scan results to management
Intrusion Detection
- Intrusion detection is often dismissed by companies due to its reputation for false positives
- Companies buy technology to achieve compliance but don't spend the money or invest the time needed to use the tools effectively
- Limited expertise in IT departments to properly take action on security incidents

Slide 18: Vulnerability Assessment
- Use a PCI Approved Scanning Vendor (ASV)
- When choosing a vendor, look for reports that provide instructions on how to fix the vulnerability
- Ensure that you can see a centralized view of your entire network
Why does PCI require vulnerability assessment? Vulnerabilities are always being exploited by hackers
RUN QUARTERLY ASV SCANS | STEP-BY-STEP REMEDIATION INSTRUCTIONS | SCAN INTERNAL AND EXTERNAL NETWORKS

Slide 19: Intrusion Detection
- Detecting the intrusion is easy; knowing what to do next is difficult
- Intrusions are becoming increasingly sophisticated
- IT staff must have the knowledge and expertise to identify and remediate attacks
- Intrusion detection protects both the internal and external areas of the network
Why does PCI require IDS? IDS enables companies to protect both the perimeter and internal areas of the network
AUTOMATE THREAT DETECTION | RESPOND QUICKLY TO INCIDENTS | PROTECT CARDHOLDER DATA
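The slides call the integration of log, intrusion and vulnerability data technically complex and say that the hard part of intrusion detection is knowing what to do next. The following Python is an added example, not code from the presentation or from any vendor it mentions: it joins a constructed asset inventory, constructed quarterly scan output and constructed IDS alerts by destination host and port so an analyst can rank which alert to look at first, and it lists in-scope hosts that never appeared in the scan, which is what removing IP addresses from scope looks like from the defender's side. Every host name, IP address, finding name and alert signature below is a placeholder.

```python
"""Added example: correlate IDS alerts with vulnerability scan findings and an
asset inventory to prioritize response and to spot hosts dropped from scan scope.
All data is constructed for illustration; nothing here is real infrastructure."""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    name: str
    in_cde: bool  # part of the cardholder data environment (scope for PCI DSS)


@dataclass
class VulnFinding:
    ip: str
    port: int
    check: str      # scanner's name for the check (placeholder, not a real plugin id)
    severity: str   # "critical" | "high" | "medium" | "low"


@dataclass
class IdsAlert:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str  # placeholder signature text, not a real ruleset entry


# Constructed asset inventory (hypothetical hosts).
ASSETS = [
    Asset("10.0.1.10", "pos-db-01", in_cde=True),
    Asset("10.0.1.20", "web-01", in_cde=True),
    Asset("10.0.2.30", "intranet-wiki", in_cde=False),
]

# Constructed scan output. Note that 10.0.1.10 (a CDE host) was never scanned.
SCAN_RESULTS = {
    "scanned_ips": {"10.0.1.20", "10.0.2.30"},
    "findings": [
        VulnFinding("10.0.1.20", 443, "tls-weak-cipher", "medium"),
        VulnFinding("10.0.2.30", 80, "outdated-cms-plugin", "high"),
    ],
}

# Constructed IDS alert feed (fields modelled on a typical NIDS alert line).
ALERTS = [
    IdsAlert("2011-06-01T02:14:07Z", "203.0.113.5", "10.0.2.30", 80, "WEB cms plugin exploit attempt"),
    IdsAlert("2011-06-01T02:15:11Z", "203.0.113.5", "10.0.1.20", 443, "SSL weak cipher negotiation"),
    IdsAlert("2011-06-01T03:01:00Z", "198.51.100.9", "10.0.1.10", 3306, "SQL generic login brute force"),
]

SEVERITY_WEIGHT = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def unscanned_in_scope_hosts(assets, scanned_ips):
    """Inventory hosts the last scan never touched. A CDE host on this list
    usually means scope was narrowed, not that the host was remediated."""
    return sorted(a.ip for a in assets if a.ip not in scanned_ips)


def triage(alerts, assets, scan):
    """Rank alerts by corroborating context: an open finding on the targeted
    host/port, CDE membership, missing inventory entry, or missing scan data.
    Returns a list of (score, alert, reason) sorted highest score first."""
    by_ip = {a.ip: a for a in assets}
    open_findings = {(f.ip, f.port): f for f in scan["findings"]}
    ranked = []
    for al in alerts:
        score, reasons = 1, []
        finding = open_findings.get((al.dst_ip, al.dst_port))
        if finding is not None:  # port-level match; production tools map signature to CVE
            score += SEVERITY_WEIGHT[finding.severity]
            reasons.append(f"open {finding.severity} finding '{finding.check}' on targeted port")
        asset = by_ip.get(al.dst_ip)
        if asset is None:
            score += 2
            reasons.append("destination not in asset inventory")
        elif asset.in_cde:
            score += 2
            reasons.append("target is in CDE scope")
        if al.dst_ip not in scan["scanned_ips"]:
            score += 1
            reasons.append("host absent from last scan (no vulnerability context)")
        ranked.append((score, al, "; ".join(reasons) or "no corroborating data"))
    ranked.sort(key=lambda r: r[0], reverse=True)  # stable: ties keep feed order
    return ranked


if __name__ == "__main__":
    for ip in unscanned_in_scope_hosts(ASSETS, SCAN_RESULTS["scanned_ips"]):
        print(f"WARNING: inventory host {ip} missing from scan scope")
    for score, al, reason in triage(ALERTS, ASSETS, SCAN_RESULTS):
        print(f"[{score}] {al.ts} {al.src_ip} -> {al.dst_ip}:{al.dst_port} {al.signature} | {reason}")
```

The scoring weights are arbitrary and meant to be tuned; the point is that an alert is only actionable once it is joined to what the scanner and the inventory already know about the destination, and that a host missing from both the scan and the findings is a scoping gap to raise with the scan owner rather than evidence of a clean result.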
